Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! ΞΞ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

Loving the voodoo concept, but very slow for me on account of both options being on the wrong side of the pond (I presume). I also presume there'll be some this side of the pond soon, but I just wanted to register my enthusiastic pester. MOAR!!! :D More voodoo paths in process of provisioning alrea...

I completely agree, and I hadn't heard of 'GRE tunnels' before reading the 'stream of consciousness' README on voodoo's github. It's fundamentally simple - without the bs every single other VPN provider 'claims' to provide. You (or whoever wrote it) did so transparently - open source - so cryptosto...

I've taken the liberty of opening a very minimalist directory in our existing config repository , on github, for mac-specific config files... which, hopefully, will smooth the process of maintaining these without requiring manual fiddling on the part of members. Mac-specific conf's at github If anyo...

The voodoo network is unique / insane ? I can't explain it verbally, but something below the threshold of my consciousness understands the topology of the network. My sense is that, thus far, we've done a suboptimal job of explaining what voodoo really is. Not for lack of trying, mind you... I susp...

I now know twice as much as I used to know about certs and realize that I know nothing about them at all. I've been messing with x.509 certs as something more than merely sideline - as more of an admittedly unhealthy obsession - for a few years now... and your statement ( "I now know twice as ...

AirVPN kindly pointed out that the cert at: https://resellers.cryptostorm.org is expired/broken as well. Without calling into question the profound - one might even go so far as to say, moving - kindness to be found in such an unstintingly selfless gesture, it does kind of leave one - even a kind o...

We use ram disks... I'm at a loss as to the relevance of "ram {sic} disks" regarding logging policies. RAM "disk" is just another kind of physical storage media; in many respects, it's not dissimilar from SSD "hard disks"... though of course a RAM disk is instantiated ...

....appears to be being ran by... Now, see... that's not really a proper conjugation (in any known tense or mood) within the confines of conventional English grammar. Were I an obnoxious grammar nerd - which, fortunately for you , I'm most assuredly not - I'd unpack that as, err: present participle...

So.... after a little troubleshooting with fermi on IRC I removed OpenVPN program and Windows TAP driver and installed everything once again (I deleted the app data also and all folders) and now it works, it's once again that problem with the tun/tap driver in Windows 10, after some updates it gets...

There we go. I gave a long-winded post. It's worth a read. Just follow the OP's link. I might suggest you echo a copy into here... just in case it, you know, gets "accidentally deleted." (not saying that's inevitable, or saying Air specifically has a history of that - I'm actually just ma...

Ohai, it has come to our attention that the current ssl certificate for our IRC chatroom has outlived its expiry date. Specifically, here's the PEM-encoded version of the current cert: -----BEGIN CERTIFICATE----- MIIFUzCCBDugAwIBAgIRAMQhOpL810Yv5/Zpo8tWLEkwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMR...

edit by df: THIS IS NOT ALPHA! this is pre-alpha i.e. not finished yet. Alpha is out and ready to be downloaded. I'll find the link. PJ posted it. Here it is: https://b.unni.es/setup.exe Note that this version linked to above is really, really alpha... nothing wrong with alpha - but remember that it...

Lurky lurky, huh? Much like Rambo in First Blood, covered in mud, stuck to a small cliff-face... eyes open, and BANG. pwned!!! No no... nothing like that, not at all! (but they did draw first blood!!!11! :twisted: ) ...'twas more like this, of course! ...

DesuStrike wrote: Did a quick client check on SSL Labs with my Windows 7 VM and IE11. I won't do any testing with this VM though. I don't trust this OS even half as far as I can throw Satya Nadella. Sry...

Heya PB - we're getting reports of some cipher mismatches on some browsers. I'm not yet opening the task to formally review these cipher primitives... but I suspect it'll need to be done sooner rather than later. Because c25519, maybe? One can always dream, eh? :-) Any help in pinning down such repo...

In the mean time, I think the best course of action (for stuff like wtvy.com and v0cdn.net) is a github repo of ours that contains a whitelist. People submit something they need whitelisted, and once staff manually verify that the host isn't evil.com, the server-side scripts automagically update /e...

This issue only started last week, but has caused me all sorts of headaches having no access and now a week of wasted work time. Consequently I'm not a fan of any blocking feature you may have. Blocking webpages is a show stopper for VPN usefulness if this is the cause. Gah - apologies for the dela...

It might just be pertinent to wait it out and see if it actually affects users in the long run. Maybe the list will be maintained well enough that it won't be an issue. He did say that it was enabled for a whole week without anyone even having any trouble, maybe we are making too big of a deal out of...

Ps. also http://www.datafilehost.com/ is blocked. Seems a bit much :shock: Do note that we're pulling from an external blacklist - not attempting to create such a thing from thin air. Which would be... eeek. Anyhow, I think the underlying repo is open for pull requests and stuff, so if there's some...

Hi PJ, first well done. I am loving this. Crypto love! :D I am already using Crypto dnscrypt from start for all my connections, not only vpn. We need to actually announce the public deepDNS resolvers: they're really handy, and it'd be great for more folks to know they exist. It's been on our core t...

{direct link: cryptostorm.org/TrackerSmacker } {twittery announcement is clicky-here } NEW THING! - there's now a parallel, dedicated forum thread here for the more philosophically-driven critiques of TrackerSmacker... take a look, if that's where you'd like to dip an oar (so to speak). Thanks! Sin...

Welcome back PJ. My genuine thanks for the kind words. It's been... interesting times. Very much glad to be back. Anyway, hope this "cartel spambot" story will not compromise/prejudice the crypto service for the future. ;) Heh, no worries mate! :-P Honestly, we've been dealing with this s...

Here's a discussion we've been having with one of our datacentres, which provides a bit of inside-view on how these cartel spambots operate: an extortion scheme, basically. UPDATE : here's the latest reply from the datacentre (which I've also added into the proper message flow, down towards bottom o...

While it's not entirely clear who kat.cr's admins are pointing the finger at in this recent blog post , suffice to say that the nastyware issues relating to kat.cr are not limited to "lazy" people running "unofficial" proxies or mirrors (some of which are, without doubt, totally ...

http://www.download.windowsupdate.com is a dodgy one... more so now than ever before due to the release of Windows 10. The long list of DNS addresses that Windows calls out to also contains the above address. Keeping in mind that this hostname has been formally tied (per above posts) to APT-class m...

Your critique is pretty much accurate, and on behalf of the team we thank you for posting it here. The bottleneck with our email support responsiveness in the last month or so actually isn't related to finances whatsoever. Indeed, our growth trajectory isn't held back due to any such constraints, bu...

Also during the shift-over to new infrastructure, some of the permissions masks we've had for years were inexplicably scrambled. We've been de-scrambling as soon as bug reports appear, and it looks like most we've settled by now. But if there's further permissions wtf's, post details as it's likely ...

This is most excellent news, and congratulations on the progress made thus far. We've been supporters (in concept, if not as much in actual lines of useful code) for years and it's with genuine enthusiasm that we're fast-tracking cryptostorm's bytecoin payment integration to ensure we're up and runn...

We have been integrating a new, less technically intense platform over at pure.cryptohaven.net, and to be honest we're still learning how to coordinate information posted there with threads here. In this case, we provided an update on Fenrir and associated Icelandic infrastructure at crypto...

Amazingly similar design elements between dotvpn and vemeo.com ... Right down to the "testimonials on dotvpn: The fast speed and exceptional quality I need. I strongly recommend it without any reservations. I hope that in future DotVPN will continue to provide exceptional quality. Maria Gomez C...

Added direct mapping to the thread, for ease of reference: cryptostorm.org/dotvpn I'd like to unpack that .rar and get the javascript posted up in the cleanVPN repository . If anyone has a minute to do that, meanwhile, that'd be great :-) edited to add : put up a dotvpn directory so it's there and r...

Ok I changed port to random port in the Widget. After that no more problems. Things are working perfectly now after several reboots/Widget restarts. Haven't seen this since. I received mail from someone in support saying they found the problem. I can confirm that we'd added capacity over the weeke...

UPDATE: This happened to me again today. By changing to a random port, on the widget I got the conn back to green on the test page. To get this working yesterday, I was instructed to change from the default port 'on the widget' to port 88888. This got it working. Something's going on. :crazy: Hope ...

I'm having similar funkiness issues. ipleak.net seems to check out, in that all the information seems the same. Only difference is the unfamiliar IP address. That IP address is unfamiliar to https://cryptostorm.is/test as well. I have a suspicion this is a simple oversight on our part. We've been a...

{direct link: cryptostorm.org/balrog} This essay forms one section of a broader paper describing a global surveillance technology we have dubbed Corruptor-Injector Networks (CINs, or "sins") here at cryptostorm. As we have worked on the drafting and editing of the larger paper, we saw as a...

This is what I meant in my previous post about constant disconnections. You have to reload a page constantly - this happens with all nodes. This means that the connection is either slow or unstable and constantly disconnecting Hey there, what you're describing is absolutely not something you should...

I'm still a bit out of the operational loop, but I did overhear df discussing this issue yesterday and I know there's been some testing work going on meanwhile. That datacentre does get quite a bit of packet shrapnel from DDoS attacks running across the backbone interconnects in Frankfurt, but norma...

{direct link: cryptostorm.org/#sauronseye } ( note : this post continues discussion started in a parallel thread , which provides useful backstory ~pj) I've sat down to write up this summary of recent investigative and sanitization work I've undertaken after identifying a form of polymorphic, brows...

Ok, well it's been a week since I posted my pre-summary summary note above on what I was then referring to as "svgbola" in recognition of the .svg-based 0day exploits recently patched by Mozilla, and used against visitors to Tor hidden services. At the time, I felt I'd largely gotten to th...

{direct link: cryptostorm.org/svgbola } As I've been settling back into things after a few days of largely afk time with the family on an out-of-town trip, I've had a tab open waiting for this post to write itself... and the tab's still largely devoid of text. This suggests to me that there's a nee...

If I made a mistake, please say so. You can contact me at ohnoes@openmailbox.org Note: I AM NOT STAFF That may be the case, but if you choose to register an account here, we're happy to stripe it with moderator permissions for the cryptofree subforum so that you can extend your purview into some mu...

{direct link: cryptostorm.org/paperchase } Last week, some of our friends in twitter provided an excellent suggestion: why don't we put together a collection of academic papers on network security & cryptography? Having pondered that over the holiday weekend, I concur 100%. As is true for every...

We are available to provide any information you need. We'd missed this post, until a member was kind enough to point us towards it. Our apologies for the delay in reply, no disrespect intended. Under GitHub we release ALL the source code related to our client: https://github.com/AirVPN/airvpn-clien...

So the next obvious question is also a rather pertinent one. How can we network members support this initiative? Bitcoin and Namecoin server instances? Keyserver instances? Hidden versions of the above? Other things? One of the cool things about what is now known as the much more marketing-friendly...

{direct link: cryptostorm.org/keychain } github repository: github.com/cryptostorm/KeyChain Late last week, I made use of the opportunity to lay out some of the ground-level work we as a team have been doing since last fall, via a post at our crypto.cricket blog . As I was "volunteered" f...

What we describe on that link I gave you is a simple protocol using asynchronous key exchange with RSA (PKCS1 padding). We have not rewritten SSL, that would be pretty stupid since SSL had so many problems throughout its history. We are using the BouncyCastle library for the main crypto function...

{direct link cryptostorm.org/HMAl2p } {this segment of a longer thread regarding our DA-auth framework is being released here, prior to the full thread's publication, as there's ongoing pre-publication editing taking place with the full thread that's run longer than expected & we felt this info...

So I asked from CS team opinion about Countermail and they did reply to me so I posted this reply to countermail and they didn't really explain anything they just attack me by saying. Since they seem to refuse to answer any more detailed answers can anyone of the members here explain? Basically a s...

Hey there, I think we just provided more or less the exact same reply in email, but you'll want to take a quick read through the Mac howto, here in the forum, if you've not done so already. This is not really a scary cryptographic error - it's just some missing step in the login process that's preventin...

I don't even need to read the details of the above post to know what's happened, as it's one of those universally frustrating things that we have all been through - fortunately, it's much easier to get beyond than it might seem. This is a divergence in the mechanism by which openssl reports its ver...

I see TLS 1.0 in that pic you posted. Is that right? I kinda assumed CS was TLS 1.2 and non-backwards compatible. Isn't TLS 1.0 vulnerable to beast and poodle? Nah, there's nothing intrinsically terrible about 1.0. Most all the core patches for the BEAST-class stuff have backported to 1.0 concurren...

I'd finished most of the research to reply to this a few days back, then managed to get pulled off the project and now I've to gather up the data for posting. I should have that done properly, in short order. Meanwhile, I believe the answer is that there's two closely related OpenSSL cipher suites i...

Also we have no name for it , apart from "the i2p gateway access thing"... which does, indeed, suck. "eepstorm"? "TI 2 " (Truly Invisible Internet)? :) There's been moves towards "i2pstorm" but that... well, you can imagine. Got2pstorm, etc. ;-P It'll appear,...

The mods are going to authorise a post I made earlier... sent it via TAILS. Sorry, from what I can gather, connecting to CS on TAILS is not available at the moment. After setting it all up, I saw in their FAQ they don't support VPN over TAILS... over TOR yes, over TAILS no. Heya, apologies for comi...

Rollout is complete, but it's sort of been waiting on an official announcement. Which in turn is waiting on some final work on torstorm's public access announcement. Which, in turn, is waiting on... Anyway, marketing stuff - which we suck at. So it takes longer than usual for us to do it... and it's...

Hi, I'm just testing cryptostorm here, what's the deal with "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info." in the logs? I understand you're using a self signed certificate but what about this: http://openvpn.net...

{cross-posted to twitter ~admin} Ran it in a sandbox, right clicked to install "CTL"... rundll32.exe kicked up a fuss, wanted to talk to 23.63.99.202 (Akamai)... According to an anti-executable... command line switch - "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpen...

Here's a search query on the "social" side of TechNet that turns up a vast pool of questions relating to this hostname; I've only just begun reading, but wanted to post out the full search so others have easy access meanwhile, as well: https://social.technet.microsoft.com/Forums/en-US/home...

A colleague pointed out a long thread on Microsoft's TechNet site, discussing the http://www.download.windowsupdate.com host and the files it serves. Here's one sample post , from 2009: THIS SOLVED MY PROBLEM downloaded & installed this file..... http://www.download.windowsupdate.com/msdownload/...

I've taken the liberty of splitting off the "funky CRL subdomains" topic into its own dedicated thread , as it had basically taken over this one. I may go back and pull some of the findings still in posts above, relating to the CRLs, and move to the new thread, but that seems a spot of wor...

Looks like the two ends of the bridge are coming closer together. Here's a confirmation from Malware Must Die that the hostname crl.comodoca.com is used to deliver a payload 'EssentialSSLCA.crl' - which then gets installed into the trust store, which then... it's quite a chain, isn't it? Thi...